Burr-Feinstein anti-crypto proposal would undermine digital security everywhere
We at R Street have known for a while that Sens. Richard Burr, R-N.C. and Dianne Feinstein, D-Calif. were planning to propose anti-encryption legislation that would be truly terrible both for American citizens and for American businesses. But the senators’ “discussion draft,” released last night, exceeded our worst expectations.
Misleadingly named the “Compliance with Court Orders Act of 2016,” the proposed law would actually impose wide-ranging obligations on telephone companies, online-service providers and manufacturers of smartphones, computers and other digital devices that would weaken and perhaps cripple your digital security, including your use of encryption to keep your communications and data private.
Essentially, the proposal would require any company that provides you with digital security either to be able to give the government the keys to unlock your data or else to provide “technical assistance” to the Federal Bureau of Investigation (or the Internal Revenue Service or any other state or federal agency that obtains a court order) to help hack your data and devices. It’s the equivalent of requiring a company that makes safes, like Diebold or Sentry Group, to sell only safes that government safe-crackers can break into.
Well, actually, it’s worse. As I’ve written, we find ourselves increasingly keeping far more self-revealing information on our phones or computers than we do even in our houses or apartments—the sheer scope of the digital information that we may use encryption to protect (for now!) is massive. If Congress can mandate digital insecurity for your phone, a state or city entity may not even need to do a physical search of your house or car to prosecute you. Sens. Burr and Feinstein take the view that if you’re foolish enough to use a smartphone or computer, government ought to be able to have access to anything you use those devices to communicate, process or store.
Here’s what the Burr-Feinstein proposal would require:
Any “covered entity” (more on that in a moment) that receives a court order placed by any government entity shall be responsible for “providing data in an intelligible format if such data have been made unintelligible by a feature, product or service owned, controlled, created, or provided by the covered entity or by a third party on behalf of the covered entity.” In short, if you use a feature like Microsoft’s or Apple’s full-disk encryption on your digital devices, the Redmond and Cupertino industry giants will have to either provide government with “backdoors” to your data or else provide hacking assistance.
But wait: how do we know that the Burr-Feinstein proposal will reach so much further than smartphones (although it’s bad enough that the senators want to weaken smartphone security)? Simple: the proposed law defines “covered entity” (that is, the companies that are included in the mandate) as “a device manufacturer, a software manufacturer, an electronic communication service, a remote computing service, a provider of wire or electronic communication service, a provider of a remote computing service, or any person who provides a product or method to facilitate a communication or the processing or storage of data.” So it’s not just your phone company, but also your computer vendor, the maker of your phone and any online service that stores anything on your behalf (this could include Amazon’s cloud services, as well as Google, Apple and Microsoft).
We at R Street are as sympathetic as anyone to the government’s need to provide both national security and law enforcement. But requiring companies that provide ever-stronger digital security to enable the weakening of digital security is simply perverse.
It’s also based on a misunderstanding of the balances struck in our Bill of Rights that aim to limit the scope of government power. Oddly, the senators, like the FBI, seem to believe that the Fourth Amendment is a grant to government of a fundamental right to succeed in every investigation upon which it embarks. But the plain language of the Fourth Amendment makes it clear that the amendment is supposed to operate as a limit on government power, not a grant to government of a right to investigatory success:
The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
It’s a right “of the people,” not a right belonging to the FBI, the Securities and Exchange Commission, the IRS, or to local or state police. Yes, there’s a provision for “Warrants,” but John Adams and the other framers of the Bill of Rights didn’t just limit the Fourth Amendment to situations involving warrants and court orders. Instead, they framed the Fourth Amendment more broadly, to prohibit “unreasonable” searches and seizures.
Should Congress mandate that our digital devices be made hackable and snoop-able by every government entity in this country (and, as a result, to every other government entity in any other country around the world that might have jurisdiction over Apple, Google, Microsoft, etc.)? In the digital age, when we keep our whole lives on our computers and phones, this new mandate meets every definition of “unreasonable.”
